A method and compiler for compiling hierarchical command based policy rules to a flat filter list structure adapted for storage in a content addressable memory (CAM), wherein the policy rules are organized in a tree-structure of classifiers. First, all of the possible search paths in the tree structure are found, and then only the valid search paths according to defined criteria are added to the flat filter list. The CAM may be a Ternary content Addressed memory.

Patent
   8260886
Priority
Dec 30 2005
Filed
Dec 30 2005
Issued
Sep 04 2012
Expiry
Oct 14 2028
Extension
1019 days
Assg.orig
Entity
Large
3
4
EXPIRED
1. A method of compiling command-based policy rules to a flat filter list structure for storage in a content addressable memory (CAM), said policy rules being organized in a tree-structure of classifiers, wherein a processor is configured to perform the steps of:
(a) finding all the possible search paths in the tree structure;
(b) adding to the flat filter list only the valid search paths according to defined criteria;
(c) transforming a policy map (PMAP) into a flat policy map (F PMAP), wherein the PMAP is a sequence of pairs (CMAPi, Zi), where Zi is the action to be taken for a data packet (P) if it matches the class map CMAPi with permit (deny), and each CMAPi is an ordered pair of a class list (CL) and a corresponding match operator yi that either is set to match ALL (yall) or set to match ANY (yany), and the F PMAP is a list of ordered pairs (Fi, Zi), wherein the list of ordered pairs (Fi, Zi) is the result of steps (a) and (b); wherein step (c) includes:
transforming a class map (CMAP) into a flat class map (F_CMAP), wherein the CMAP comprises the class list (CL), which comprises a sequence of access control Lists (acli), wherein each acli is a sequence of ordered pairs (Fi, xi), where Fi is a filter and xi, is a corresponding matching outcome, wherein xi is either PERMIT or DENY, and the F_CMAP is a second sequence of ordered pairs (Fj, xj), wherein the second sequence of ordered pairs (Fj, xj) is the result of the steps:
(d) listing all search paths by a using a filter intersection between two acls in accordance with the individual order of the acls;
(e) adding only the valid search paths according to the match operator, y, in the CMAP with the same order as in step (d); and
(f) repeating steps (d) and (e) until all the acls in the CL of the CMAP are joined in to a single acl.
2. The method according to claim 1, wherein step (c) includes repeating steps (d)-(f) for each CMAP until all CMAPS are F-CMAPs.
3. The method according to claim 1, wherein step (e) includes determining valid search paths, said determining step including:
for the search path involving only the first acl, determining the path is valid only when any of the following criteria are fulfilled:
Y=YAll and x1,i=X; and
Y=YAny and x1,i=X+;
for the search path involving both acls, determining the path is valid only when any of the following criteria are fulfilled:
Y=YAll and x1,i=X+; and
Y=YAny and x1,i=X.
4. The method according to claim 1, wherein step (c) includes the step of first transforming F_PMAPs into a flat PMAP format according to rules for transforming a single CMAP into a PMAP.
5. The method according to claim 4, wherein step (c) includes the steps of:
(g) determining all possible combinations by using a filter intersection when joining two neighboring F_PMAPs;
(h) adding only the valid elements (F, Z), to the flat PMAP (F_PMAP), if the element fulfills one of the following criteria:
for filters involving only the first F_CMAP: Z1,i≠ZDef, i ε{1, 2, . . . , N1}; and
for filters involving both F_CMAPs: F1,i∩F2,J≠FØ, i ε{1, 2, N1); and jε{1, 2, . . . , N2}; and
(i) repeating steps (g) and (h) until the last CMAP is compiled.
6. The method according to claim 1, wherein the transformation of step (c) involves a combination of a firewall acl and a PMAP to flat filter structure, and step (c) includes the steps of:
inverting the firewall acl by inverting the match outcome in the firewall acl, resulting in ˜ACLFW =((F1, ˜X1), (F2, ˜X2), ... , (FN1, ˜XN), (F*1, ˜X_));
setting the equivalent firewall CMAP to CMAPFW =(˜ACLFW, y*); and
setting the combined firewall acl and PMAP to PMAP+FW =((CMAPFW, ZFW), (CMAP2, Z2), (CMAP3, Z3), ... , (CMAPN, ZN), (CMAP, ZDef)).
7. The method according to claim 1, wherein the content Addressed memory (CAM) is a Ternary content Addressed memory (TCAM).

The present invention relates to IP classification in routers.

The present invention relates to a method for compiling command based router classifiers to an equivalent flat structure that is suitable for storing in Ternary CAM (Content Addressable Memory) for fast look-up.

Internet Protocol (IP) classification is performed in routers. This is the process of classifying IP packets into categories that require special treatment. A subset of IP classification is IP filtering. IP filtering is a security feature that restricts IP traffic by permitting or denying packets by applying certain rules. This way, users can be restricted to specific domains or applications on the Internet. To perform classification, IP headers of packets that reach a router need to be compared to patterns stored in a table, generating an output that classifies the packet. Usually, this table is stored in memory and matching is done in software.

The functionality of filtering and classifying packets treated here is called Multi-field (MF) classification, since it acts on several independent fields in the packet headers, and is used both for Differentiated Services (DiffServ) policy enforcement and security (firewall) filtering.

The IP header fields on which packets can be classified by the filters are:

The command based router classifiers is structured in a tree-like hierarchy with a policy map consisting of class maps, access control lists and filters with their match outcomes, actions and match patterns.

Said structures are built in a hierarchy of the components Filters, ACLs (access control lists, or just access lists), CMAPs (class maps) and PMAPs (policy maps). These components will now be described one by one in more detail with reference to FIG. 1:

Filter—this component cannot be specified alone, but only as part of an including ACL. Each filter consists of a match field and a result. The match field is a bit-pattern, wherein “don't care” is allowed, to test for match against defined header fields of packets to be classified. The result is an indication of whether or not a packet matching the match field is considered to belong to the ACL as a whole. Conventionally the result is called either “permit”, meaning “belongs to ACL”, or “deny”, meaning “does not belong to ACL”. (These conventional terms come from the original restricted use of ACLs, which was only to determine access through a firewall.) For the extended use of ACLs employed now, it is suggested using “+” and “−” instead of permit and deny.

ACL—Access Control List, or just access list, is an ordered list of Filters to be tried for match against packets to be classified, starting at the head of the list, and progressing through until some filter matches, or until the end of the list is reached. If the end of the list is reached without any filter matching, it is deemed that the packet does not match the ACL, which could be considered as an implicit filter at the tail of the ACL having bits “don't care” in the match field and “deny” as the result. Each ACL is defined by a management operation and is given a name to use as reference. Filters can be added and removed from existing ACLs. Note that the order of the filters in an ACL is significant, so the position, priority, of added filters can be specified. ACLs can be used in two ways: as a member of a CMAP (see below) or tied directly to an interface as a firewall filter.

CMAP—Class Map is a set (order not significant) of specified (by name, e.g. reference number) ACLs and match operator, also denoted match mode, which is either match-any or match-all. A packet being classified is considered to belong to a class defined by a CMAP either if it matches any of the ACLs in a CMAP having the match-any attribute or, if, and only if, it matches all the ACLs in a CMAP having the match-all attribute. CMAPs are defined by management operations and given a reference name. Existing CMAPs can also be modified. The only use of a CMAP is by membership in a PMAP.

PMAP—Policy Map is an ordered set of CMAPs to which each CMAP is associated with an action. A PMAP can be tied to an interface, and then all packets passing the interface will be tested against the PMAP, starting with the first CMAP and continuing until the packet is found to belong to a CMAP or until all CMAPs have been exhausted. When the packet is found to belong to a CMAP, the associated action is performed. The possible actions are:

The default action is FORWARD.

Note: When a packet matches a filter having result permit, thus causing the packet to belong to the class defined by a CMAP including this ACL, and in which the CMAP is included in a PMAP with action DROP. The packet is thus dropped due to matching a filter with permit.

Each interface can be tied to at most one PMAP and one firewall ACL (otherwise would not make sense). Inbound and outbound interfaces are treated separately.

Since ACLs are referred to by name, the same ACL can be used in several roles (as member of multiple CMAPs and/or as firewall ACL for various interfaces). Likewise, the same CMAP can be used in multiple PMAPs, and the same PMAP can be tied to various interfaces.

If an interface is tied both to a firewall ACL and to a PMAP, the firewall ACL (ACLFW) is traversed first, and only if a packet is permitted for access is it tested against the PMAP. Interfaces which is not connected to a firewall ACL are implicitly permitted for access.

Due to increasing performance requirements and larger and wider search sets, software-based search algorithms become too slow and alternative implementations need to be considered. One such alternative is to use a Content Addressable Memory (CAM).

A Content Addressable Memory, CAM, is a memory device that has become increasingly valuable during the recent years in some applications. A CAM can perform fast storing and search operations. The CAM provides a performance advantage over memory search algorithms such as binary and tree based searches or look-aside tag buffers by comparing the desired information against the entire list of pre-stored data simultaneously often resulting in an order-of-magnitude reduction of search time. Once information is stored in a CAM location, it is found by comparing every bit in the CAM with the bits of the data in a search expression. If there is a match for every bit in a location with every corresponding bit in the search expression, an output is obtained from the CAM, which is an association value or address pointing to associated information. The associated information may be stored in a conventional memory device such as a RAM. Depending on the application, the RAM can contain information or instructions or operations or the like to be displayed or performed when there is a match between the search expression and the information stored in the CAM. Thus, with a CAM, the data is supplied and the address is obtained.

Because the CAM doesn't need address lines to find data, the depth of a memory system using CAMs can be extended as far as desired, but the width is limited by the size of the chip. For example, a chip can be 64 to 128 bits wide, but 32768 entries deep. It is fairly easy to extend the depth of the CAM, because the addressing is all self-contained.

Some CAMs are so called ternary CAMs in which the stored data can contain bit values of 0, 1 or X, where X is interpreted as “don't care”, i.e. the value matches both 0 and 1.

The function and advantages of the CAM memory makes it very suitable for applications and operations such as LANs, data base management, file storage management, look-up to pattern recognition, and the like, and is particularly suited to performing search operations. To classify a packet, the look-up performance will depend on the search algorithm, and the look-up time is not deterministic using software solutions. Hardware accelerated solutions, such as Ternary Content Addressable Memory (TCAM), will increase the search performance by orders-of-magnitude as the look-up in TCAM entries can be performed with a single operation, typically at one clock cycle. In recent years, TCAMs are becoming faster, bigger and cheaper, and they provide an excellent solution for doing very fast look-ups with deterministic look-up time.

A method in which CAMs of less width are used to store “expressions” in CAMs and to match expressions with the contents of CAMs, where the width of the expressions is larger than the width of the CAMs used, is earlier known from the international patent application WO 02/082458.

From the U.S. Pat. No. 6,484,170 techniques for generating searchable data entries in a CAM, such as binary or ternary CAMs, are earlier known. In said document, a method of classifying data networking packets and a packet classifier based on subfields of a packet header are also described.

Packet classification by using TCAMs is earlier known and treated in a document “Efficient Mapping of Range Classifier into Ternary-CAM” by Huan Liu, published on the internet by Department of Electrical Engineering, Stanford University, CA 94305.

In practice, complications arise because the desired classification rules to be enforced on the traffic flow, as defined by a network manager, consist of a tree-like structure in which it is required to look for more than one possible match against each packet in the flow. Such a structure is straightforward and easy to follow manually, or by a procedural program, but not by a linear CAM array which terminates search at the first matching entry. However, CAMs, such as TCAMs, can only store flat structures and a tree-like hierarchy cannot be stored in it directly. To get a table of CAM entries to provide a behaviour corresponding to that of the tree-like structure, the filter rules must be “flattened” to a linear array, taking advantage of the CAM's ternary capability (“don't care” match at required bit positions). The implementation of the “flattening” of the filter tree is called the “Filter Compiler”. Therefore, an algorithm is needed for compiling the command based router classifiers with a tree-like hierarchy to an equivalent flat CAM friendly structure.

One of the objects with the present invention is to provide an algorithm for compiling the command based router classifiers with a tree-like hierarchy to an equivalent flat CAM friendly structure.

Therefore, the present invention solves the problem to compile command based policy rules to a format, such as a flat filter list structure, adapted for storage in a Ternary Content Addressable Memory (TCAM), by a method that involves steps of finding all the possible search paths in the tree structure and steps of only adding the valid search paths according to defined criteria to the flat filter list.

An advantage with the present invention is that it provides a computerized method to compile the command based router classifiers with a tree-like hierarchy to an equivalent flat CAM friendly structure. This will save a lot of time and money as the work to transform filter rules from tree-structure to flat structure does not have to be performed manually. This is especially interesting when converting old filter rule systems to TCAM solutions.

The present invention will now be described in more detail with reference to following drawings:

FIG. 1 is a diagram schematically showing a tree-like filter structure and a flat filter structure.

FIG. 2 is a block diagram illustrating an application of the present invention.

FIG. 3 is a block diagram illustrating TCAM application for IP address look-up.

FIG. 4 is an illustration of a filter rule represented as TCAM entry.

FIG. 5 is a flow-chart illustrating a first embodiment of the present invented method.

The functionality of filtering and classifying packets treated here is called Multi-field (MF) classification, since it acts on several independent fields in the packet headers, and is used both for Differentiated Services (DiffServ) policy enforcement and security (firewall) filtering.

FIG. 2 is a block diagram illustrating an application of the present invention. The present invention is illustrated as a filter compiler that is used to transform a database of classifiers in a Differentiated Services (DiffServ) application. When defining a policy for IP traffic in DiffServ, filter are used. Said filter, or rather filter rules, is organized in a tree-like structure of classifiers such as Access control lists, Class Maps and Policy Maps. To speed up the seeking process for filter match, a Content Addressable Memory (CAM) can be used to store the filter entries. As CAM has a flat structure and it searches all the entries at the same time, it is not suitable to store a tree-like structure in a CAM. Thus it is necessary to have a filter compiler to transform the tree-like filter structure to a flat database.

FIG. 3 is a block diagram illustrating TCAM application for IP address look-up.

The use of TCAM memory for classification is straight-forward. Each entry in the TCAM consists of a vector of three-valued bits corresponding to certain fields in the header of an IP packet, therefore the name “ternary CAM” can be used. The value of each three-valued bit position can be 0, 1, or x, where x means “don't care”. A search in the CAM is performed by the hardware HW against a packet by applying the header fields of the packet (a vector of only 0's and 1's) to the CAM's internal logic. The CAM then, using fast parallel logic, finds the first “matching” entry (priority arbitration) and outputs its address (reference number 2 in the figure). This address is then used to access a normal associated SRAM memory, from which a pre-stored output is fetched “Next Hop 3”, which affects the further handling of the packet.

The combination of the match pattern in the CAM and the output value in the associated SRAM address is referred to as a “CAM entry”.

Thus setting up filtering and classification in the hardware consists of inserting into certain CAM positions a pattern which will match a sought-after packet, and writing the corresponding output-SRAM position an instruction to the HW guiding treatment of the packet. To achieve “wire speed” processing of IP packets arriving on high-speed links. The actual treatment of individual IP packets is therefore performed in hardware. Software is used to configure and control the hardware so that it can do its job efficiently, and correctly according to the intentions of the network manager, which through e.g. a command line interface to a router can apply various filtering and packet-treatment policies.

FIG. 4 is an illustration of an example of a filter rule represented as TCAM entry. A filter rule is an ordered pair (F,X) where F is filter and X is the match outcome, e.g. action taken when the filter matches an incoming packet. The filter consists of one or more bit fields—in this case 5 tuples—each field corresponding to a header field an incoming packet, and an associated value. The difference in filter representation between a binary CAM and ternary CAM is also illustrated. The TCAM is able to use the “don't care” value (x or *) in the bit positions. The IP header fields on which packets can be classified by the filters are:

The present invention is a method for transforming tree-like organized classifiers to “flat filter” structure. The invention is implemented in computer software programming for computers and data processing. The different steps of the invention is possible to code into computer software instructions in different computer program languages and coding. As mathematical theory often is very useful for describing methods and for guiding computer software programming, the invented method will be described hereafter by using the theory of sets.

First some basic terms has to be defined in accordance to the theory of sets.

S = ( s 1 , s 2 , , s n ) = ( i = 1 n < s i > ) ,

( i = 1 m < s 1 , i > ) + ( j = 1 n < s 2 , j > ) = ( s 1 , 1 , s 1 , 2 , , s 1 , m , s 2 , 1 , s 2 , 2 , , s 2 , n ) = ( s 1 , s 2 , , s m + n ) = ( i = 1 m + n < s i > )

Notice that a sequence differs from a set in that the order of the element in a sequence is of importance (and duplicated elements are not redundant), while in a set,

A = { a 1 , a 2 , , a n } = i = 1 n { a i } ,
the order is of no importance, and duplicated elements are redundant and thus can be removed.

A sequence with n elements is also called an n-tuple. A 2-tuple is also called an ordered pair, S=(s1, s2).

Operations such as union and intersection can be applied to two sequences, X1 and Y2, with the same size, n elements:

X 1 Y 1 = ( x 1 , x 2 , , x n ) ( y 1 , y 2 , , y n ) = ( i = 1 n < x i > ) ( i = 1 n < y i > ) = ( x 1 y 1 , x 2 y 2 , , x n y n ) = ( i = 1 n < x i y i > ) and X 1 Y 1 = ( x 1 , x 2 , , x n ) ( y 1 , y 2 , , y n ) = ( i = 1 n < x i > ) ( i = 1 n < y i > ) = ( x 1 y 1 , x 2 y 2 , , x n y n ) = ( i = 1 n < x i y i > )

F 1 F 2 = ( f F 1 , 1 , f F 1 , 2 , , f F 1 , n ) ( f F 2 , 1 , f F 2 , 2 , , f F 2 , n ) = ( f F 1 , 1 f F 2 , 1 , f F 1 , 2 f F 2 , 2 , , f F 1 , n f F 2 , n ) = i = 1 n < f F 1 , i f F 2 , i >
where the operation fF1,i∩fF2,i(iε{0, 1, . . . n}) is defined in Table 1.

TABLE 1
Intersection of two filter elements
fF1, i∩fF2, i 0 1 * Ø
0 0 Ø 0 Ø
1 Ø 1 1 Ø
* 0 1 * Ø
Ø Ø Ø Ø Ø

If there exists at least one i(iε{0, 1, . . . , n}), fF1,i∩fF2,i=Ø, then F1∩F2=FØ.

The classifiers will now be described in terms of the mathematical theory.

A classifier can be represented by a Policy Map (PMAP), and the building blocks in a PMAP hierarchy at different levels are:

An ACL is a sequence of ordered pairs (F, X), where F is a filter and X is the corresponding matching outcome, Xε{permit, deny}. We use the symbols X+ for permit and X for deny.

ACL = ( ( F 1 , X 1 ) , ( F 2 , X 2 ) , , ( F n , X n ) ) = i = 1 n < ( F i , X i ) >

A packet matches an ACL if there exists at least one Fi(iε{0, 1, . . . , n}) in the ACL, P∩Fi≠FØ, The matching outcome is the one for the matching filter with lowest index, i.e. for all Fj where j<i, P∩Fj=FØ, the match outcome will be Xi.

An ACL always ends with an implicit, if not already existing, universal filter (F*) with a default match outcome (usually is the deny match outcome, X), so a packet always matches this one with the outcome (X) if no other matches encountered prior to this.

Class Map (CMAP) and Class List (CL)

A Class List (CL) is a sequence of ACLS,

CL = ( ACL 1 , ACL 2 , , ACL n ) = i = 1 n < ACL i >

And a CMAP is an ordered pair of Class List and a corresponding match operator (Y):

CMAP = ( CL , Y ) = ( ( ACL 1 , ACL 2 , , ACL n ) , Y ) = ( ( i = 1 n < ACL i > ) , Y )
where the match operator Yε{match all, match any}. We use the symbols Yall for match all operator and Yany for match any operator.

For match all operation, a packet matches a Class Map with X+ (permit) if there exists at least one filter, which is the first matching filter in the ACL, with the match outcome X+ (permit) in each of the ACLs of the Class List. In other words, the packet must match all ACLs in the CL of the CMAP with the match outcome X+ (permit). If in any ACL, the first matching filter has an outcome X (deny), the match has an outcome X (deny) for the CMAP.

For match any operation, a packet matches a CMAP with X+ (permit) if and only if it matches at least one filter, which is the first matching filter encountered, with the match outcome X+ (permit) from at least one ACL in the CL of the CMAP. In other words, the packet can match any of ACLs in the CL of the CMAP with the match outcome X+ (permit). If in any ACL, the first matching filter has outcome is X (deny), the match has an outcome X (deny) for the CMAP.

Notice that the order of ACLs in a CL is of no importance. So a CMAP can then be rewritten as:

CMAP = ( { ACL 1 , ACL 2 , , ACL n } , Y ) = ( { i = 1 n { ACL i > } } , Y )

If there exists only one ACL in the CL of a CMAP, the match all and match any are equivalent.

Note: In the presentation of the invention, it has been chosen that for match all operation or match any operation, a packet matches a Class Map with X+ (permit). However, the invented algorithm is not limited to packet matches a Class Map with X+ (permit), deny is applicable in some applications.

Policy Map (PMAP)

A policy map (PMAP) is a sequence of pairs (CMAP, Z) where Z is the action to be taken for the packet if it matches the CMAP with permit. The actions are typically Forward, Drop, Remark DSCP Field in the IP Header and so on.

PMAP = ( ( CMAP 1 , Z 1 ) , ( CMAP 2 , Z 2 ) , , ( CMAP n , Z n ) ) = ( i = 1 n < ( CMAP i , Z i ) > )

A packet matches a PMAP if and only if it first matches a CMAPi, with the outcome X+ (permit) and the corresponding action Zi will be performed for the packet. If a packet does not match any of the CMAPs or all the CMAPs match with outcome X (deny), a default action ZDef is performed for the packet. So a PMAP is implicitly equivalent to:

PMAP = ( ( CMAP 1 , Z 1 ) , ( CMAP 2 , Z 2 ) , , ( CMAP n , Z n ) , ( CMAP * , Z def ) ) = ( i = 1 n < ( CMAP i , Z i ) > , ( CMAP * , Z Def ) )

The universal CMAP, CMAP*, contains only one ACL, the universal ACL*, together with a universal match operator, Y*:

In general, a PMAP can be expressed by:

PMAP = ( i = 1 N < ( CMAP i , Z i ) > )
where the last element is the implicit universal CMAP with default action, (CMAP*, ZDef).

As the classifiers have been defined in accordance to the theory of sets, the invented algorithm for transforming tree-like organized classifiers to flat filter structure, a kind of list structure, will now be present with reference to FIG. 5.

One important mathematical operation used hereafter is the intersection between two sets, i.e. the intersections between two filters. The filter intersection has been earlier defined as the intersection between two filters:

F 1 F 2 = ( f F 1 , 1 , f F 1 , 2 , , f F 1 , n ) ( f F 2 , 1 , f F 2 , 2 , , f F 2 , n ) = ( f F 1 , 1 f F 2 , 1 , f F 1 , 2 f F 2 , 2 , , f F 1 , n f F 2 , n ) = ( i = 1 n < f F 1 , i f F 2 , i > )
where fF1,i∩fF2,i is defined in Table 1.

The first section, sub-algorithm A or section A, of the present invention is the transformation of a CMAP into flat filter structure, hereafter denoted as F_CMAP.

A Class Map (CMAP) is defined as:

CMAP = ( CL , Y ) = ( ( ACL 1 , ACL 2 , , ACL n ) , Y ) = ( ( i = 1 n < ACL i > ) , Y )

When a packet matches a CMAP, the result is a match outcome Xε{permit, deny}. So there exists an equivalent ordered sequence of (Fi, Xi) which defines the exact same classification rules as in the CMAP.

F_CMAP = ( ( F 1 , X 1 ) , ( F 2 , X 2 ) , , ( F N , X N ) ) = ( i = 1 n < ( F i , X i ) > )

The last element in the ordered sequence is (F*, X). As in all the ACLs the last element is implicitly (F*, X).

It can be seen that the resulting flat CMAP, F_CMAP, has the same structure as in an ACL. To transform a CMAP to an F_CMAP, two neighboring ACLs in the CL of the CMAP can be joined into one equivalent ACL, and eventually all the ACLs will be transformed into a single equivalent ACL as the CL.

Two ACLs are as follows:

ACL 1 = ( ( F 1 , 1 , X 1 , 1 ) , ( F 1 , 2 , X 1 , 2 ) , , ( F 1 , m , X 1 , m ) ) = ( i = 1 m < ( F 1 , i , X 1 , i ) > ) and ACL 2 = ( ( F 2 , 1 , X 2 , 1 ) , ( F 2 , 2 , X 2 , 2 ) , , ( F 2 , n , X 2 , n ) ) = ( i = 1 n < ( F 2 , j , X 2 , j ) > )

To emphasize the implicit terminating element (F*, X) in every ACL, we rewrite the ACLs:

ACL 1 = ( ( F 1 , 1 , X 1 , 1 ) , ( F 1 , 2 , X 1 , 2 ) , , ( F 1 , m , X 1 , m ) , ( F * , X 1 , - ) ) = ( i = 1 m < ( F 1 , i , X 1 , i ) > , ( F * , X 1 , - ) ) and ACL 2 = ( ( F 2 , 1 , X 2 , 1 ) , ( F 2 , 2 , X 2 , 2 ) , , ( F 2 , n , X 2 , n ) , ( F * , X 2 , - ) ) = ( i = 1 n < ( F 2 , j , X 2 , j ) > , ( F * , X 2 , - ) )

We rewrite ACL1 and ACL2 in a more general form:

ACL 1 = i = 1 N 1 < ( F 1 , i , X 1 , i ) > and ACL 2 = j = 1 N 2 < ( F 2 , j , X 2 , j ) >
where the last element in both ACLs is the implicit, if not otherwise already existing, universal filter with match outcome deny.

The algorithm for transforming them into a single one is as follows:

i = 1 N 1 < ( F 1 , X i ) + j = 0 N 2 < ( F 1 , i F 2 , j , X j ) >>

As for any F(Fi≠FØ), F∩F2,*=F, so the last element in the F_CMAP is always (F*, X).

The joined ACL, ACL1+2, is:

ACL 1 + 2 = ( i = 1 N 1 < ( F 1 , i , X 1 , i ) Y = Y All , X l , i = X - or Y = Y Any , X I , i = X + ) + j = 1 N 2 < ( F j , X j ) Y = Y All , X l , i = X + or Y = Y Any , X l , i = X - >> )

ACL1+2 can be joined with next ACL in the CL, ACL3. Therefore:

By repeating these steps, all the ACLs in the CL of the CMAP can be joined in to a single one.

F_CMAP = ( ( F 1 , X 1 ) , F 2 , X 2 ) , , ( F N , X N ) = ( i = 1 N < ( F i , X i ) > )
where the last element is the implicit universal deny filter, (F*, X).

The next section, section B or sub-algorithm B, of the invented method is to transform a PMAP into a flat filter structure, i.e. F_PMAP.

A Policy Map (PMAP) is defined as:

PMAP = ( ( CMAP 1 , Z 1 ) , ( CMPAP 2 , Z 2 ) , , ( CMAP m , Z m ) ) = ( i = 1 m < ( CMAP i , Z i ) > )
where the last element is the implicit terminating universal CMAP* with the default action ZDef.

As a CMAP can be represented by an equivalent F_CMAP,

F_CMAP = ( ( F 1 , X 1 ) , ( F 2 , X 2 ) , , ( F N , X N ) = ( i = 1 N < ( F i , X i ) > )
where the last element is the universal deny filter, (F*, X), we can rewrite the PMAP after converting ACLs in all CMAPs into F_CMAPs as:

PMAP = ( ( F_CMAP 1 , Z 1 ) , ( F_CMAP 2 , Z 2 ) , , ( F_CMAP n , Z n ) , ( CMAP * , Z Def ) ) = ( ( ( F 1 , 1 X 1 , 1 ) , ( F 1 , 2 , X 1 , 2 ) , , ( F 1 , N 1 , X 1 , N 1 ) , ( F * , X - ) ) , Z 1 ) , ( ( F 2 , 1 X 2 , 1 ) , ( F 2 , 2 , X 2 , 2 ) , , ( F 2 , N 2 , X 1 , N 2 ) , ( F * , X - ) ) , Z 2 ) , . ( ( F n , 1 , X n , 1 ) , ( F n , 2 , X n , 2 ) , , ( F n , Nn , X n , Nn ) , ( F * , X - ) ) , Z n ) , ( CMAP * Z Def ) )

The flat PMAP structure can be defined as

F_PMAP = ( ( F 1 , Z 1 ) , ( F 2 , Z 2 ) , , ( F M , Z M ) ) = i = 1 M < ( F i , Z i ) >
where the last element is the universal default filter, (F*, ZDef).

To transform a PMAP into F_PMAP format, first all the CMAPs are transformed into F_CMAPS. Then join two neighboring F_CMAPs in the PMAP and transform into the flat structure as defined by the F_PMAP, and continue this until the last F_CMAP in the PMAP is transformed.

Two F_CMAPs are as follows:

To join two neighboring elements in a PMAP,

( i = 1 M < ( F i , Z i ) > ) ,
the following steps are used:

Join two neighboring F_PMAPs, starting with the first F_PMAP as one of the F_PMAPs in the first iteration and thereafter using the combined iterated F_PMAP in the following iterations, into a single F_PMAP in accordance to the following steps:

i = 1 N 1 < ( F 1 , i , Z 1 ) + j = 0 N 2 < ( F 1 , i F 2 , j , Z 2 ) >>

In this case the implicit universal default filter, (F*, ZDef), terminating both F_PMAPs, is included.

The last element in the F_PMAP is (F1,*, ZDef) as all F_CMAPs end with the element (F*, X).

We can express the combined F_PMAP with:

The combined two neighboring CMAPs can be expressed as:

F_PMAP 1 + 2 = i = 1 N 1 < ( F 1 , i , Z 1 ) Z 1 , j Z Def + j = 1 N 2 < ( F 1 , i F 2 , j , Z 2 ) F 1 , i F 2 , j F >>

By repeating steps B2 and B3 until the last CMAP is compiled, we get a flat PMAP as:

F_PMAP = ( ( F 1 , Z 1 ) , ( F 2 , Z 2 ) , , ( F M , Z M ) ) = i = 1 M < ( F i , Z i ) >
where the last one is the implicit universal default CMAP, (CMAP*, ZDef).

The above presented method is a first embodiment of the invention. A second embodiment of the invention is used when compiling a combination of a firewall ACL and a PMAP to flat filter structure.

A firewall ACL is defined as:

We have an existing PMAP:

Firewall rules are usually used prior to the PMAP, so the combined firewall ACL with a PMAP can be represented by:

The CMAPFW is equivalent to the original firewall ACL and ZFW is the defined action when a packet matches a filter rule in the ACL, such as “Drop”. The default action can be “Forward” when firewall ACL is used alone, and “Continue” when the packet needs to be filtered/classified further.

The algorithm for compiling a firewall ACL to an equivalent (CMAPFW, ZFW) is as follows:

The inverting operator, ˜, is defined for the match outcome as follows:

So the inverted firewall ACL can be rewritten as:

~ ACL FW = ( ( F 1 , ~ X 1 ) , ( F 2 , ~ X 2 ) , , ( F N , ~ X N ) , ( F * , X + ) ) = ( i = 1 N < ( F i , ~ X i ) > )
where the last one is the universal permit filter, (F*, X+).

It can be compiled to a flat PMAP, F_PMAP+FW, using the described algorithm according to section B of the invented compiling algorithm.

F_PMAP + FW = ( i = 1 M < ( F i , Z i ) > )
where the last element is the universal default filter, (F*, ZDef).
Optimization.

The flat filter structure for a PMAP can be defined as:

Following rules to optimize the entries:

Optimization rule A: An element in an F_PMAP, (Fi, Zi), is redundant if Ficustom characterFj where iε{1, 2, . . . , N) and j<i

where Ficustom characterFj is true if and only if Fi∩Fj=Fi using the rules defined in Table. 1.

A more general rule is:

Optimization rule B: An element in an F_PMAP, (Fi, Zi), is redundant if Ficustom character(F1∪F2∪ . . . ∪Fi−1) where iε{2, . . . , N)

Notice that optimization rules A and B apply to an ACL as well.

The methods presented here is general and can be applied to a single ACL, CMAP, PMAP or a combination of all these.

Further Possibilities.

So far, the action Zi associated with match of a CMAPi, in a Policy Map (PMAP)

P M A P = ( ( CMAP 1 , Z 1 ) , , ( CMAP i , Z i ) , , ( CMAP n , Z n ) , ( CMAP * , Z Def ) ) = ( i = 1 n + 1 < ( F i , Z i ) > )
has been a single action (e.g. Forward, Drop, Remark DSCP field). The filter rule look-up is finished as soon as a match is found in a CMAP, and the corresponding action will be taken.

However, there are occasions when it is suitable to process a packet in several steps, e.g. multiple actions being taken for one packet along the processing pipeline. One simple example is the combined firewall ACL and Policy Map, where in the firewall ACL, the action to be taken is Continue to PMAP if it is a match with permit and the action is Drop if there is a match with deny.

In a Policy Map, the first action may involve a control flag such as Z1=Remark DSCP field and continue to the next CMAP. The second action Z2 can be defined as Set MPLS tag and Transmit. If a packet matches both CMAP1 and CMAP2, two actions will be taken, first the DSCP field in the packet is remarked, then based on the new DSCP value, the packet is tagged with an MPLS value and transmitted. Hence, the static rule now becomes a dynamic one, as the packet header has been changed due to the first action taken. Two approaches can be used to solve the problem:

1) Multiple Compilation and Search Method

As the packet header is changed, it is not possible to use the same header information for doing a look-up of filter rules. Thus it is necessary to do multiple searches with separate CMAPs and the corresponding action is taken after each search using the most recent updated header information.

2) Single Compilation and Search Method

If the header information is changed in the packet due to a match in the first CMAP, it is possible to replace the filters in CMAP2 with the relevant filters in CMAP1. Take the example mentioned above, there are two filters, F1,1 and F1,2 in CMAP1 that will cause the remarking in DSCP field in the packet to a certain DSCP value, which is defined in a filter F2,1 in CMAP2. Thus it is possible to replace F2,1 with F1,1 and F1,2 in CMAP2 in compiling to a single flat PMAP. It is easily understood that this can easily cause TCAM entry blow-ups and the algorithm is getting more complicated.

The multiple compilation and search method described in 1) will cause suffering in speed, as the search time is proportional to the number of multiple searches, compared to the single search method described in 2). However, the single search method can easily cause blow-ups in number of entries. Thus there is a trade-off between speed and storage when comparing method 1) with 2). Generally, method 2) is more complicated to implement using a TCAM and can easily cause blow-up of entries.

The present invention also relates to a computer program product comprising a computer readable memory storage and stored computer readable software code involving program instructions capable of controlling a central processing unit of a computer or a microprocessor. When executed by the computer or microprocessor, the program instructions cause the computer or microprocessor to perform the steps of the method of the present invention.

Any computer readable memory storage of any kind that is available for sale on the market is possible to use for storing the computer readable software code comprising the invented algorithm.

The present invention is not limited to the above-described preferred embodiments. Various alternatives, modifications and equivalents may be used. Therefore, the above embodiments should not be taken as limiting the scope of the invention, which is defined by the appending claims.

Kling, Lars-Örjan, Penny, Robert E, Jin, Yonghui

Patent Priority Assignee Title
10470076, Aug 24 2016 TELEFONAKTIEBOLAGET LM ERICSSON PUBL Wireless device and methods therein for mapping data packets to radio bearers in a wireless communications network
11221967, Mar 28 2013 Hewlett Packard Enterprise Development LP Split mode addressing a persistent memory
9449007, Jun 29 2010 EMC IP HOLDING COMPANY LLC Controlling access to XAM metadata
Patent Priority Assignee Title
6917946, Aug 12 2002 International Business Machines Corporation Method and system for partitioning filter rules for multi-search enforcement
7698125, Mar 15 2004 SOUTHERN CALIFORNIA, UNIVERSITY OF Training tree transducers for probabilistic operations
20040170172,
20110213738,
////
Executed onAssignorAssigneeConveyanceFrameReelDoc
Dec 30 2005Telefonaktiebolaget LM Ericsson (publ)(assignment on the face of the patent)
Jun 23 2008JIN, YONGHUITELEFONAKTIEBOLAGET LM ERICSSON PUBL ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS 0227240682 pdf
Jun 23 2008PENNY, ROBERTTELEFONAKTIEBOLAGET LM ERICSSON PUBL ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS 0227240682 pdf
Jun 24 2008KLING, LARS-ORJANTELEFONAKTIEBOLAGET LM ERICSSON PUBL ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS 0227240682 pdf
Date Maintenance Fee Events
Mar 04 2016M1551: Payment of Maintenance Fee, 4th Year, Large Entity.
Apr 27 2020REM: Maintenance Fee Reminder Mailed.
Oct 12 2020EXP: Patent Expired for Failure to Pay Maintenance Fees.


Date Maintenance Schedule
Sep 04 20154 years fee payment window open
Mar 04 20166 months grace period start (w surcharge)
Sep 04 2016patent expiry (for year 4)
Sep 04 20182 years to revive unintentionally abandoned end. (for year 4)
Sep 04 20198 years fee payment window open
Mar 04 20206 months grace period start (w surcharge)
Sep 04 2020patent expiry (for year 8)
Sep 04 20222 years to revive unintentionally abandoned end. (for year 8)
Sep 04 202312 years fee payment window open
Mar 04 20246 months grace period start (w surcharge)
Sep 04 2024patent expiry (for year 12)
Sep 04 20262 years to revive unintentionally abandoned end. (for year 12)